Yes, I know, it has been always said on many places.
But maybe this time it is explained in more detail?
http://arnold.mcdonald.free.fr/php/Index.php?p=1006
--
AMcD?
http://arnold.mcdonald.free.fr/
But maybe this time it is explained in more detail?
http://arnold.mcdonald.free.fr/php/Index.php?p=1006
--
AMcD?
http://arnold.mcdonald.free.fr/
Pretty nice - just remember that "always" is a rather strong word to use when talking about internal kernel structures ;) - and a small fix, use sizeof instead of hardcoding the 128 and 260 values - and better use constants like MAX_PATH+1 .
But a nice text with a professional layout.
But a nice text with a professional layout.
I have the same basic thing in the exception handler that I did for RadASM. Though in that case it's only to find which module a given address is in. But it also has a Windows 9x version...
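FindModuleByAddr9x FRAME Address,pModuleName
	; ToolHelp-based lookup (the Windows 9x path, per the post above) of the
	; loaded module whose image range contains Address.
	;
	; In:  Address     - linear address to locate
	;      pModuleName - caller's buffer; receives the module's szModule
	;                    (up to MAX_MODULE_NAME32+1 = 256 bytes incl. NUL)
	;                    or "undetermined". The buffer must therefore be at
	;                    least 256 bytes; this routine cannot check that.
	; Out: pModuleName always holds a NUL-terminated string on return.
	; Clobbers eax, ecx, edx (no USES list; callers must not rely on them).
	;
	; NOTE(review): this is meant to run from an exception handler. Calling
	; LoadLibrary there is only safe if the fault did not occur while the
	; loader lock was held (e.g. inside DllMain) - confirm for the callers.
	LOCAL hSnap :D
	LOCAL me32 :MODULEENTRY32
	LOCAL hlib :D
	LOCAL pCreateToolhelp32Snapshot :D
	LOCAL pModule32First :D
	LOCAL pModule32Next :D

	; Give the caller a defined answer before anything can fail.
	invoke lstrcpy,[pModuleName],"undetermined"
	mov D[me32.dwSize],SIZEOF MODULEENTRY32

	invoke LoadLibrary,"Kernel32.dll"
	or eax,eax
	jnz >
	ret
	:
	mov [hlib],eax
	invoke GetProcAddress,[hlib],"CreateToolhelp32Snapshot"
	mov [pCreateToolhelp32Snapshot],eax
	invoke GetProcAddress,[hlib],"Module32First"
	mov [pModule32First],eax
	invoke GetProcAddress,[hlib],"Module32Next"
	mov [pModule32Next],eax

	; The ToolHelp exports are not present on every Windows build; calling
	; through a NULL pointer would raise a second fault inside the handler.
	or eax,eax
	jz >>.FREE
	cmp D[pModule32First],0
	je >>.FREE
	cmp D[pCreateToolhelp32Snapshot],0
	je >>.FREE

	invoke GetCurrentProcessId
	push eax
	push TH32CS_SNAPMODULE
	call [pCreateToolhelp32Snapshot]
	mov [hSnap],eax
	; CreateToolhelp32Snapshot fails with INVALID_HANDLE_VALUE (-1), not 0.
	cmp eax,0FFFFFFFFh
	je >>.FREE

	push offset me32
	push [hSnap]
	call [pModule32First]
	jmp >L2
L1:
	; Match when modBaseAddr <= Address < modBaseAddr+modBaseSize
	; (half-open: base+size is the first byte past the image). Addresses are
	; unsigned, so only jb/jae are valid here.
	mov eax,[me32.modBaseAddr]
	mov ecx,[me32.modBaseSize]
	add ecx,eax
	cmp [Address],eax
	jb >
	cmp [Address],ecx
	jae >
	invoke lstrcpy,[pModuleName],OFFSET me32.szModule
	jmp >>.DONE
	:
	push offset me32
	push [hSnap]
	call [pModule32Next]
L2:
	; eax = result of Module32First/Module32Next; zero ends the walk and
	; leaves "undetermined" in place.
	or eax,eax
	jnz <L1
.DONE
	invoke CloseHandle,[hSnap]
.FREE
	invoke FreeLibrary,[hlib]
	RET
ENDF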
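FindModuleByAddrNT FRAME Address,pModuleName
	; PSAPI-based lookup (the NT path) of the loaded module whose image
	; range contains Address.
	;
	; In:  Address     - linear address to locate
	;      pModuleName - caller's buffer; receives the file title of the
	;                    module (GetFileTitle is told it holds 256 bytes)
	;                    or "undetermined". The buffer must therefore be at
	;                    least 256 bytes; this routine cannot check that.
	; Out: pModuleName always holds a NUL-terminated string on return.
	; Preserves ebx, esi, edi (USES); clobbers eax, ecx, edx.
	;
	; NOTE(review): runs from an exception handler - LoadLibrary here is
	; only safe if the fault did not occur under the loader lock. Confirm.
	uses edi,esi,ebx
	LOCAL pID :D
	LOCAL hProcess :D
	LOCAL hMods[1024] :D          ; 1024 DWORD slots = 4096 bytes; keep in
	LOCAL cbNeeded :D             ; step with the two 4096 literals below
	LOCAL modinfo :MODULEINFO
	LOCAL hModule :D
	LOCAL hlib :D
	LOCAL pEnumProcessModules :D
	LOCAL pGetModuleInformation :D
	LOCAL ModName[MAX_PATH] :B

	; Give the caller a defined answer before anything can fail.
	invoke lstrcpy,[pModuleName],"undetermined"

	invoke LoadLibrary,"psapi.dll"
	or eax,eax
	jnz >
	ret
	:
	mov [hlib],eax
	invoke GetProcAddress,[hlib],"EnumProcessModules"
	mov [pEnumProcessModules],eax
	invoke GetProcAddress,[hlib],"GetModuleInformation"
	mov [pGetModuleInformation],eax
	; A missing export would otherwise be called as a NULL pointer and
	; raise a second fault inside the handler.
	or eax,eax
	jz >>.FREE
	cmp D[pEnumProcessModules],0
	je >>.FREE

	mov ebx,[Address]                 ; ebx = Address for the whole walk
	invoke GetCurrentProcessId
	mov [pID],eax
	invoke OpenProcess,PROCESS_QUERY_INFORMATION+\
	PROCESS_VM_READ,FALSE,[pID]
	mov [hProcess],eax
	or eax,eax
	jz >>.FREE

	; cb is a BYTE count: pass the whole 4096-byte hMods buffer.
	push offset cbNeeded
	push 4096
	push offset hMods
	push [hProcess]
	call [pEnumProcessModules]
	or eax,eax
	jz >>.DONE

	; cbNeeded reports the size of the FULL list, which may exceed the
	; buffer; walking cbNeeded/4 entries would then read past hMods.
	; Clamp to what was actually filled.
	mov edi,[cbNeeded]
	cmp edi,4096
	jbe >
	mov edi,4096
	:
	shr edi,2                         ; bytes -> handle count
	jz >>.DONE                        ; nothing enumerated
	mov esi,offset hMods              ; esi = next handle slot
L1:
	mov eax,[esi]
	mov [hModule],eax
	add esi,4
	push SIZEOF MODULEINFO
	push offset modinfo
	push [hModule]
	push [hProcess]
	call [pGetModuleInformation]
	or eax,eax
	jz >L2                            ; unqueryable module: skip, keep looking

	; Match when lpBaseOfDll <= Address < lpBaseOfDll+SizeOfImage. These
	; are unsigned compares on purpose: with jl/jg an image base above
	; 2 GB (/3GB, LARGEADDRESSAWARE) compares as negative and is missed.
	mov eax,[modinfo.lpBaseOfDll]
	cmp ebx,eax
	jb >L2
	add eax,[modinfo.SizeOfImage]
	cmp ebx,eax
	jb >L3
L2:
	dec edi                           ; edi = entries still to examine
	jnz <L1
	jmp >>.DONE
L3:
	; Size argument matches the ModName buffer. A zero return is failure;
	; a return equal to the buffer size means the path was truncated and
	; may be unterminated - keep "undetermined" rather than pass it on.
	invoke GetModuleFileName,[hModule],OFFSET ModName,MAX_PATH
	or eax,eax
	jz >>.DONE
	cmp eax,MAX_PATH
	jae >>.DONE
	invoke GetFileTitle,OFFSET ModName,[pModuleName],256
.DONE
	invoke CloseHandle,[hProcess]
.FREE
	invoke FreeLibrary,[hlib]
	RET
ENDF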
f0dder said
"Pretty nice - just remember that "always" is a rather strong word to use when talking about internal kernel structures "
Sure! Just look at the NT internal structures documented on the web; you'll see differences from my text :-).
"use sizeof instead of hardcoding the 128 and 260 values - and better use constants like MAX_PATH+1"
Good point. Actually, the code was written very quickly :-(. I'll fix that.
Thanx
--
AMcD?
http://arnold.mcdonald.free.fr/
"Pretty nice - just remember that "always" is a rather strong word to use when talking about internal kernel structures "
Sure! Just look at the NT internal structures documented on the web; you'll see differences from my text :-).
"use sizeof instead of hardcoding the 128 and 260 values - and better use constants like MAX_PATH+1"
Good point. Actually, the code was written very quickly :-(. I'll fix that.
Thanx
--
AMcD?
http://arnold.mcdonald.free.fr/